Symptoms

A Parallels Business Automation - Standard (PBA-S) product security audit revealed a CSRF vulnerability that allows an attacker to target an administrator via a specially prepared web page. The consequences of the attack may include remote code execution and session hijacking of the PBA-S administrator account.

Another vulnerability is an API exposed on port 80 that allows attackers to perform almost any action while bypassing authorization.

The fix for these vulnerabilities will be included in a future update. However, taking into account the high-risk nature of the vulnerabilities, we strongly recommend that providers running PBA-S 4.3 and 4.5 install the hotfixes below.

Resolution

Please apply the following hotfixes for both vulnerabilities:

For the CSRF issue:

Download the hotfix installer and run it on a PBA-S node. The installer downloads all necessary patches and installs them.

This means the API directory will not be accessible to anyone on the default port (80): all access to it must be denied. If you are using a remote PBA-S store or any kind of API customization, use an SSL channel instead, as described in section 4 of the PBA-S SDK documentation.
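The following web server configuration is an added illustration of the end state described above and is not part of the Parallels hotfix or the PBA-S product. It assumes an Apache httpd front end and uses a placeholder directory (/var/www/pba/api) and hostname (pba.example.com); the real API path and certificate locations are whatever your installation uses.

```apache
# Added example (not Parallels code): the insecure layout exposes the API
# directory on plain HTTP, where its callers bypassed authorization.

# --- Before: API reachable on port 80 (weak) ---
<VirtualHost *:80>
    ServerName pba.example.com
    DocumentRoot /var/www/pba
    <Directory /var/www/pba/api>
        Require all granted    # anyone on the network can reach the API
    </Directory>
</VirtualHost>

# --- After: API denied on port 80, served only over TLS ---
<VirtualHost *:80>
    ServerName pba.example.com
    DocumentRoot /var/www/pba
    # Deny every request to the API directory on the default port.
    <Directory /var/www/pba/api>
        Require all denied
    </Directory>
    # Non-API content still redirects callers to the SSL channel.
    Redirect permanent /api https://pba.example.com/api
</VirtualHost>

<VirtualHost *:443>
    ServerName pba.example.com
    DocumentRoot /var/www/pba
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/pba.example.com.crt    # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/pba.example.com.key  # placeholder path
    # Remote PBA-S store / API customizations connect here, over TLS only.
    <Directory /var/www/pba/api>
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading the server, a request to the API path on port 80 should return 403 Forbidden, while the same path over HTTPS should behave as before; checking both from a host outside the PBA-S node confirms the hotfix left no plain-HTTP route to the API.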